RBAC & Audit.

Control who can do what within your organization, and maintain a complete, tamper-evident record of every action taken on the platform. Truthlocks RBAC ensures that the right people have the right access — nothing more, nothing less.

How RBAC Works

Role-Based Access Control (RBAC) means each team member is assigned a role that defines exactly what they can see and do. Instead of giving everyone full admin access, you give each person the minimum permissions they need to do their job.

Owner

  • Full administrative access
  • Manage billing and subscriptions
  • Invite and remove team members
  • Configure governance policies
  • Delete issuers and attestations

Admin

  • Create and manage issuers
  • Manage API keys
  • Configure webhooks
  • View audit logs
  • Rotate signing keys

Operator

  • Mint and revoke attestations
  • View issuer details
  • Use API keys (cannot create)
  • View own activity log
  • Cannot modify settings

Viewer

  • Read-only access to dashboard
  • View attestation status
  • View issuer information
  • Cannot create or modify anything
  • Ideal for compliance officers

Access Control Capabilities

Team Management

Invite team members via email with specific roles. Remove access instantly when someone leaves the organization. Manage permissions from the Console or via the API.

Least Privilege Enforcement

The platform enforces role boundaries at the API level. An Operator cannot escalate to Admin permissions, and a Viewer cannot modify resources — even through the API.

Governance Workflows

For sensitive operations like key rotation, issuer deletion, or bulk revocation, require multi-party approval from designated governance reviewers before execution.

API Key Scoping

API keys can be scoped to specific permissions and issuers. A key created for minting cannot be used to revoke attestations or modify settings.

Session & Token Management

Configure session timeout policies, enforce re-authentication for sensitive actions, and revoke active sessions for any team member instantly.

SSO & SCIM Integration

Enterprise customers can integrate with SAML/OIDC single sign-on providers and use SCIM for automated user provisioning and deprovisioning from your identity provider.

Comprehensive Audit Logging

Every action on the Truthlocks platform is recorded in a tamper-evident audit log. Unlike traditional application logs, Truthlocks audit events are cryptographically chained using SHA-256 hashes — if any entry is modified or deleted, the chain breaks and the tampering is immediately detectable.

Audit logs are designed for compliance teams, security officers, and regulators who need to understand exactly who did what, when, and from where.
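The hash chaining described above, as an added illustration rather than Truthlocks code: each entry's SHA-256 hash covers the previous entry's hash plus a canonical serialization of the event, and a verifier walking the chain reports the first entry whose content or link no longer matches. The event fields and the genesis sentinel are constructed for the example.

```python
"""Hash-chained audit log (added example, not Truthlocks' implementation)."""
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel standing in for "no predecessor"


def canonical(event: dict) -> bytes:
    # Deterministic serialization so the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor's hash and to its own content.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(log: list, event: dict) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev, "hash": entry_hash(prev, event)})


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return i  # a predecessor was removed or the link was altered
        if entry_hash(entry["prev_hash"], entry["event"]) != entry["hash"]:
            return i  # the entry's own content was changed after the fact
        expected_prev = entry["hash"]
    return -1


def demo() -> tuple:
    log = []
    # Constructed sample events mirroring the page's audit categories.
    append(log, {"actor": "alice", "action": "auth.login", "ts": 1})
    append(log, {"actor": "alice", "action": "attestation.mint", "ts": 2})
    append(log, {"actor": "bob", "action": "team.role_changed", "ts": 3})
    intact = verify(log)
    tampered = [dict(e) for e in log]
    tampered[1]["event"] = {**log[1]["event"], "actor": "mallory"}  # modification
    modified = verify(tampered)
    deleted = [log[0], log[2]]  # the middle entry was deleted
    return intact, modified, verify(deleted)
```

Removing only the newest entries still verifies, so a deployment must anchor the latest hash somewhere outside the log (the page does not say how Truthlocks does this).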

What Gets Logged

Authentication Events

Login, logout, failed attempts, session creation, API key usage

Attestation Operations

Mint, revoke, supersede, verify — with full request context

Team Changes

Member invited, role changed, member removed, permissions updated

Key Lifecycle

Key generated, rotated, compromised, retired — linked to affected attestations

Configuration Changes

Webhook updated, API key created/revoked, governance policy modified

Governance Actions

Approval request created, approved, rejected, executed

Built for Compliance

RBAC and audit logging work together to satisfy the access control and record-keeping requirements of major compliance frameworks.

SOC 2

Access control, logging, monitoring

GDPR

Data access audit, right to access

HIPAA

Access logs, minimum necessary

ISO 27001

A.9 Access control, A.12 Operations

Every Action. Every User. Accounted For.

Start enforcing granular access control and maintaining tamper-evident audit trails across your entire organization.